Splunk Observability Cloud Certified Metrics User — Question 38

An analyst is investigating a network alert for suspected lateral movement from one Windows host to another Windows host. According to Splunk CIM documentation, the IP address of the host from which the attacker is moving would be in which field?

Answer options

Correct answer: D

Explanation

The correct answer is D, src_ip, because that field specifically holds the source IP address from which the attack originates. The other options do not accurately represent the originating host's IP address: A refers to the general host name, B indicates the destination host, and C represents the source network host but not explicitly its IP address.